03-27-2012 01:19 AM
Hi,
Can I use a third-party certificate such as VeriSign on Cisco IOS CA? All I can see on cisco.com is the self-signed certificate from the router.
Thanks
-santo-
03-27-2012 06:06 AM
Santo,
IOS can act as a (root or sub-) CA. Typically VeriSign will not give you a certificate that will allow you to be a CA yourself on their behalf (I might be wrong).
That being said, you can use certificates signed by any third party for authentication etc.
What is the end goal?
M.
03-27-2012 07:47 AM
Hi Marcin,
Thanks a lot for your reply. I have the impression that using a 3rd party certificate is more secure. Furthermore, when the certificate expires, I will be notified by that company. Because I will be managing a lot of certificates.
What do you think ?
regards
-santo-
03-27-2012 08:52 AM
Santo,
That's true, certificates are a much nicer way to manage security and in terms of IKE are more secure than the alternative, which is (typically) a pre-shared key.
However, that being said, PKI implementations are not limited to using 3rd party certificates; you can very well use your own certificate authority to issue certificates. Microsoft has a good implementation, IOS has a CA, even ASA has one (although limited), and there are also plenty of free ones available.
What is it that you're trying to accomplish by utilizing certificates?
Marcin
03-28-2012 07:25 AM
Hi Marcin,
My ultimate goal in using certificates is to have better security compared to pre-shared keys.
I prefer to use IOS CA because using Microsoft CA means I need to invest in another server. I am trying to do managed security services such as GETVPN for my customers. My opinion is that having the 3rd party certificate, my customer will have the impression that it will be more secure than self-signed, such as from the router itself.
What do you think?
regards
-santo-
03-28-2012 07:49 AM
Santo,
That's fair enough. A key piece of information to make sure customers understand is that a private PKI infrastructure is (for the purpose of deployments such as GETVPN) as secure as that provided by a third party.
Private PKI is not based on self-signed certificates - only the root CA might need something like it :-)
That being said, for reliability and flexibility I really suggest storing CA (ser, CRL, OCSP, backup of public/private keys) files on storage external to the router.
Key takeaway is that a properly managed private PKI solution for deployments like DMVPN/GETVPN and others is as secure as external 3rd party services (and often times an order of magnitude cheaper).
M.
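To illustrate the setup Marcin describes (an IOS router acting as the private root CA, with its database, archive and CRL kept off the router), here is an added Cisco IOS configuration example. It is not from the original post or from Cisco documentation; the CA name MSS-ROOT-CA, the organisation name, the hostnames and the 192.0.2.x addresses are constructed placeholders, and the archive password must be replaced before use.

```text
! ===== Root CA router (assumed to be the GETVPN key server or a dedicated CA box) =====
! SCEP enrollment is served over HTTP, so the HTTP server must be enabled.
ip http server
!
! Exec mode: the CA server picks up the RSA key pair whose label matches the
! server name. "exportable" is what allows the PKCS#12 archive below to be written.
crypto key generate rsa general-keys label MSS-ROOT-CA modulus 2048 exportable
!
crypto pki server MSS-ROOT-CA
 issuer-name CN=MSS-ROOT-CA,O=ExampleMSSP
 lifetime ca-certificate 1825          ! root CA cert valid 5 years (days)
 lifetime certificate 365              ! issued certs valid 1 year (days)
 lifetime crl 24                       ! publish a fresh CRL every 24 hours
 cdp-url http://192.0.2.10/crl/MSS-ROOT-CA.crl   ! CRL distribution point on external web server (constructed)
 database level complete               ! keep serial file, issued certs and CRL, not just the serial counter
 database url ftp://192.0.2.10/ca-db   ! CA database on external storage, not router flash (constructed)
 database archive pkcs12 password REPLACE-WITH-STRONG-PASSPHRASE   ! encrypted backup of CA cert + private key
 grant none                            ! manual approval of every request; use "grant auto" only on a trusted enrollment network
 no shutdown
!
! Verify: show crypto pki server MSS-ROOT-CA
!          show crypto pki server MSS-ROOT-CA requests
!
! ===== Group member / spoke router: enrol against the private CA instead of a public one =====
crypto pki trustpoint MSS-ROOT-CA
 enrollment url http://192.0.2.1:80    ! SCEP URL of the IOS CA router above (constructed address)
 subject-name CN=gm1.example.net,O=ExampleMSSP
 rsakeypair GM-KEYS 2048
 revocation-check crl                  ! pull the CRL from the cdp-url embedded in the cert
!
! Exec mode on the group member: fetch and fingerprint-check the root, then enrol.
crypto pki authenticate MSS-ROOT-CA
crypto pki enroll MSS-ROOT-CA
!
! Verify: show crypto pki certificates
!          show crypto pki trustpoints status
```

Two points the example is built around: the `database url` and `database archive` lines are what put the serial file, CRL and key backup on storage outside the router, so a flash failure or hardware swap does not lose the CA; and `revocation-check crl` on the group member is what makes the CRL the CA publishes actually matter when a customer's certificate has to be revoked. Out-of-band verification of the root fingerprint during `crypto pki authenticate` is the one step a public CA would otherwise handle for you.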
03-28-2012 08:06 AM
Thanks a lot Marcin for your reply. I really really appreciate your feedback.
regards
-santo-